You need to walk before you can run
TASK 1 What nmap scanning switch employs the use of default scripts during a scan?
The nmap switch that runs the default scripts is: -sC
TASK 2 What service version is found to be running on port 21?
The service version running on port 21 is: vsftpd 3.0.3
nmap -sV 10.129.70.59
TASK 3 What FTP code is returned to us for the “Anonymous FTP login allowed” message?
The FTP return code for a permitted anonymous login is: 230
TASK 4 What command can we use to download the files we find on the FTP server?
The command used to download files from the FTP server is: get
TASK 5 What is one of the higher-privilege sounding usernames in the list we retrieved?
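The higher-privilege sounding username in the retrieved list is: admin
1. Log in to the FTP server using anonymous login
2. List the files and find userlist
3. Download userlist locally and view the list
4. The only name in the list that sounds higher-privileged is admin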
TASK 6 What version of Apache HTTP Server is running on the target host?
The Apache HTTP Server version running on the target is: 2.4.41
nmap -sV 10.129.70.59
TASK 7 What is the name of a handy web site analysis plug-in we can install in our browser?
The handy browser plug-in for analysing web sites is: wappalyzer
TASK 8 What switch can we use with gobuster to specify we are looking for specific filetypes?
The gobuster switch for looking for specific file types is: -x
TASK 9 What file have we found that can provide us a foothold on the target?
The file that can be used for the attack is: login.php
Running a dirsearch scan directly turns up login.php, which can be used
Submit root flag
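1. Visit /login.php and find that it is a login page
2. The FTP server found earlier holds a username file and a password file; download both
3. View the two files and log in with admin and rKXM59ESxesUFHAd
4. A successful login gives the flag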
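
From the defender's side, the anonymous FTP login and the downloads of the username and password files described above are visible in the FTP server's log. The following is an added example, not part of the original write-up: it flags anonymous sessions that fetched credential-looking files. The log line format (modelled on vsftpd's log), the client addresses, the file name /passwordlist and the keyword list are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a vsftpd log (assumed format).
SAMPLE_LOG = '''\
Mon Mar  4 10:15:02 2024 [pid 2101] CONNECT: Client "198.51.100.7"
Mon Mar  4 10:15:05 2024 [pid 2100] [ftp] OK LOGIN: Client "198.51.100.7", anon password "?"
Mon Mar  4 10:15:11 2024 [pid 2102] [ftp] OK DOWNLOAD: Client "198.51.100.7", "/userlist", 33 bytes, 0.41Kbyte/sec
Mon Mar  4 10:15:14 2024 [pid 2102] [ftp] OK DOWNLOAD: Client "198.51.100.7", "/passwordlist", 62 bytes, 0.77Kbyte/sec
Mon Mar  4 11:02:40 2024 [pid 2250] [deploy] OK LOGIN: Client "192.0.2.20"
Mon Mar  4 11:02:44 2024 [pid 2252] [deploy] OK DOWNLOAD: Client "192.0.2.20", "/site.tar.gz", 10240 bytes, 950.00Kbyte/sec
'''

# [pid N] [user] OK|FAIL EVENT: Client "ip"[, "path"...]
LINE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) '
    r'(?P<event>LOGIN|DOWNLOAD): Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
# Account names under which an anonymous session is logged (assumption).
ANON_USERS = {"ftp", "anonymous"}
# Hypothetical keyword list for file names that suggest stored credentials.
SENSITIVE = re.compile(r"(user|pass|cred|secret)", re.I)


def anonymous_activity(log_text):
    """Return {client: {"logins": n, "downloads": [...], "sensitive": [...]}}
    covering only successful anonymous sessions."""
    report = defaultdict(lambda: {"logins": 0, "downloads": [], "sensitive": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["status"] != "OK" or m["user"] not in ANON_USERS:
            continue  # skip CONNECT lines, failures and authenticated users
        entry = report[m["client"]]
        if m["event"] == "LOGIN":
            entry["logins"] += 1
        elif m["path"]:
            entry["downloads"].append(m["path"])
            if SENSITIVE.search(m["path"]):
                entry["sensitive"].append(m["path"])
    return dict(report)


if __name__ == "__main__":
    for client, info in anonymous_activity(SAMPLE_LOG).items():
        print(client, info)
```

Any entry with a non-empty "sensitive" list means credentials were readable without authentication; the fix on the server is to disable anonymous access (anonymous_enable=NO in vsftpd.conf) and remove the files from the FTP root.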